It copies itself to the following locations:
• %TEMPDIR%\nodqq.exe
• %drive%\9rfpp.exe
• %drive%\xexh.exe

It deletes the initially executed copy of itself.

It deletes the following files:
• %TEMPDIR%\am1.rar
• %TEMPDIR%\am.exe

The following files are created:

– %drive%\autorun.inf
This is a non-malicious text file with the following content:
• %code that runs malware%

– %TEMPDIR%\nodqq0.dll
It is executed after it has been fully created. Further investigation showed that this file is malware, too. Detected as: TR/Magania.daxl

– %TEMPDIR%\dsoqq.exe
– %TEMPDIR%\dsoqq0.dll

It tries to download a file:

– The location is the following:
• www.goo**********.com/1mg/am1.rar
It is saved on the local hard drive under: %temporary internet files%\Content.IE5\YGRGUTKK\am[1].rar
Furthermore, this file is executed after it has been fully downloaded.

It tries to execute the following file:

– Filename:
• %TEMPDIR%\am.exe

Registry

The following registry key is added in order to run the process after reboot: